
Active Directory and Open Directory Integration – Part 1

Recently, at the company I work for, we've been working on getting our Macs and PCs to play nicely together using a single repository for authentication.

We currently have an Active Directory domain in place with multiple domain controllers at multiple sites. All of our PCs are joined to the domain and all Windows users have domain accounts. We also have multiple OS X servers at various locations functioning as standalone file servers, and each OS X server acts as its own user repository. For a Windows machine to connect to one of the OS X servers, a local account with the same name and password has to exist on that server so that the Windows credentials pass through on connection.

While this works in some scenarios, at a certain point it becomes unmanageable: there are simply too many accounts to keep synchronized, and enforcing an automated password change policy across all of them is practically impossible. That was our problem; here are the steps we took to fix it.

To get the best of both worlds we needed to use both Active Directory and Open Directory: Active Directory provides the user account authentication, and Open Directory is used to enforce system policies (managed preferences) on the OS X machines. A lot of this information was already available online; Greg Priglmeier wrote a great document on it when he was working at the Minneapolis Star Tribune, which you can find here. It was written using OS X 10.3.x as the client operating system and I had to make some tweaks since we are running 10.4.x for the most part. We also did some testing with 10.5, and at the time of writing it can best be described as a little flaky. If you don't feel up to tackling this on your own, I'd recommend First Tech Computers to help you out. They're very experienced with the process and you can find their site here.

Windows Active Directory

I'm assuming you already have a Windows Active Directory environment in place, so I'm going to skip explaining how to set that up.

Set up a Open Directory Operations Master

1. Set up an OS X 10.4 server to be configured as your Open Directory master. I would recommend using a machine that can be dedicated to the role if your resources allow it; that way you have more control over when you perform maintenance. During the install you will be prompted as to whether the server is…

a. Standalone Server

b. Connected to a directory server

c. Open Directory Master

You’ll want to choose Open Directory Master for this first server.

2. Once the installation is complete, open the Directory Access application, located in Applications->Utilities->Directory Access.

[Screenshot: OS X AD Binding Prompt]

3. Here you enter your Active Directory domain and the computer ID of the machine you are using, then click Bind. This is essentially the same as joining a Windows machine to an Active Directory domain: the computer ID you specify becomes the machine's computer account in AD during the binding process.

[Screenshot: Prompt for credentials]

4. You will be prompted for credentials when binding the machine to the domain, just as you would with a Windows machine. Use an account that has the privileges to join machines to the domain; a dedicated join account with only the "Create Computer objects" right delegated on the computers OU is preferable to using a Domain Admins member for this.

[Screenshot: Directory Access - User Experience Settings]

5. Now click Show Advanced Options. I would recommend selecting the options shown above. Creating a mobile account lets the client cache the user's credentials, so you can still log in when no domain controller is reachable; bear in mind that the cached password hash then lives on the workstation's disk, where anyone with root or physical access to the machine can attack it offline. Checking "Require confirmation" just adds an extra confirmation prompt the first time you log in with a new account. If you specify home directories in your AD user properties you may also want to check the "Use UNC path" option, which auto-mounts the user's home directory on login.

[Screenshot: Directory Access - Administrative Settings]

6. Now click the Administrative tab. Here you can specify a preferred domain controller to use for authentication: if you have domain controllers on several subnets and want to reduce traffic across your WAN, pick one on your LAN. As with a Windows machine, members of Domain Admins and Enterprise Admins automatically get administrative rights over the local machine after binding. You can add further AD groups, or the domain account of an individual user, to give them administrative rights over the local machine. Keep this list short: every member of a listed group becomes an administrator on every Mac bound with these settings.

[Screenshot: Directory Access - Authentication Order]

7. Next click the Authentication tab at the top and drag the Active Directory entry up so that it is the second option (the local NetInfo directory always stays first). Do the same on the Contacts tab.

8. Congratulations, you now have an Open Directory master that is communicating with Active Directory! Next up we'll connect an OS X workstation to AD.
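Steps 3 through 7 above, and the matching AD and OD binding steps for a workstation in the next section, can also be done from the command line, which is handy once you have more than a handful of machines. The script below is an added example written for this page; it is not the author's script and not Apple documentation. It assumes dsconfigad (shipped with OS X Server 10.4 and with OS X 10.5 and later) and dsconfigldap (10.4 and later) are on the PATH, and every computer ID, domain, host name and account name in it is a placeholder. The settings it applies are the ones chosen in the screenshots: mobile accounts on, confirmation off, UNC home path on, the default admin groups, and an optional preferred domain controller. Run it as root on the machine being bound; with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# bind_mac.sh: bind a Mac to Active Directory, then to an Open Directory master,
# from the command line instead of the Directory Access GUI.
#
# Added example for this article, not the author's script. Assumes dsconfigad
# (OS X Server 10.4, OS X 10.5 and later) and dsconfigldap (10.4 and later)
# are on the PATH. Every host name, domain and account name is a placeholder.
# Run as root. DRY_RUN=1 prints each command instead of executing it.

set -eu

run() {
    # Execute a command, or echo it when DRY_RUN is set (arguments are shown
    # space-joined, so a quoted argument like the group list appears unquoted).
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

valid_name() {
    # Accept only letters, digits, dot, dash and underscore for names that end
    # up on a command line: computer IDs, domains, host names, account names.
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

bind_ad() {
    # $1 computer ID  $2 AD domain  $3 join account  $4 join password
    # $5 preferred domain controller (optional)
    comp=$1; domain=$2; user=$3; pass=$4; dc=${5:-}
    valid_name "$comp" && valid_name "$domain" && valid_name "$user" || return 1
    run dsconfigad -a "$comp" -domain "$domain" -u "$user" -p "$pass"
    # The "User Experience" and "Administrative" tab settings from the screenshots:
    run dsconfigad -mobile enable          # cache credentials for logins with no DC reachable
    run dsconfigad -mobileconfirm disable  # no confirmation prompt at first login
    run dsconfigad -useuncpath enable      # mount the home directory set on the AD account
    run dsconfigad -groups "domain admins,enterprise admins"  # AD groups that get local admin
    if [ -n "$dc" ]; then
        valid_name "$dc" || return 1
        run dsconfigad -preferred "$dc"    # try this DC before discovering others
    fi
}

bind_od() {
    # $1 OD master host name  $2 directory administrator  $3 its password
    od=$1; diradmin=$2; pass=$3
    valid_name "$od" && valid_name "$diradmin" || return 1
    # -a adds an LDAPv3 configuration, -n names it, -u/-p bind this computer to OD.
    run dsconfigldap -v -a "$od" -n "$od" -u "$diradmin" -p "$pass"
}

verify_bind() {
    # $1 an AD user to resolve. id goes through Directory Services, so a UID/GID
    # answer means the search path really reaches the Active Directory node.
    run dscl /Search -read /    # shows the search path: local node first, then AD, then LDAPv3
    run id "$1"
}

main() {
    [ $# -ge 5 ] || {
        echo "usage: $0 computer-id ad-domain join-account od-master diradmin [preferred-dc]" >&2
        return 2
    }
    # Passwords are read from the console rather than taken as script arguments.
    printf 'AD password for %s: ' "$3"; stty -echo; read -r adpass; stty echo; echo
    printf 'OD password for %s: ' "$5"; stty -echo; read -r odpass; stty echo; echo
    bind_ad "$1" "$2" "$3" "$adpass" "${6:-}"
    bind_od "$4" "$5" "$odpass"
    verify_bind "$3"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Two things to keep in mind when running it for real. dsconfigad and dsconfigldap take the passwords as arguments, so for the moment they run those passwords are visible to anyone on the machine who runs ps; bind from the console of a freshly installed machine, not from a shared shell, and use a join account that has nothing but the right to create computer objects. Afterwards `id someaduser` returning a UID and groups is the quickest proof that the search path reaches AD, and `dsconfigad -show` prints the settings the GUI tabs would show.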

Set up an OS X workstation with OD and AD

For the most part this is exactly the same as the server, with a few tweaks, but before we start I'd like to bring something up. If this is a clean install you don't really need to worry about this, but if this is a migration, i.e. the workstation was previously used by someone with a local account, there is something you must consider. When you log into the machine with the AD login, a new profile (home folder) is created. All of the user's documents, pictures, mail, etc. will appear to be gone. They're still on the machine, but they need to be moved into the new profile. Luckily I wrote a little script that makes this a bit easier, which I'll include after these instructions.

Another thing to consider: when you log in, OS X goes through the repositories in the authentication list in order and stops at the first one that can authenticate your account. It always checks the local directory first, and this can't be changed, so if an account with exactly the same name exists both locally and in AD, the local one wins and AD is never consulted.

Here's my solution: delete the local account. When you delete a local account, OS X offers to move all of the user's items into a DMG file (BE SURE NOT TO SELECT DELETE IMMEDIATELY). After that you can log in as the AD user and copy the data out of the DMG into the new profile, which is precisely what my script does. One thing to check first is that the free space on your hard drive is greater than the size of the DMG file created when the account was deleted.

So, to start things off, do the following:

1. Enable the root account. To do this, go to Applications->Utilities->NetInfo Manager. Under the Security menu select Enable Root User, enter a password for the root account and click OK.

2. Open System Preferences, then Accounts. On the Accounts pane click Login Options below the list of users and be sure the "Display login window as" option is set to "Name and password".

3. Log out and log back in as root.

4. Go to System Preferences->Accounts and delete the desired local accounts. Be sure to click OK and not Delete Immediately if you'd like to transfer any of that account's settings and files to an Active Directory account.

5. Next go to Applications->Utilities->Directory Access.

[Screenshot: OS X AD Binding Prompt]

6. Enable Active Directory, click Configure, and enter your domain name and the name you'd like to use for the computer account. Click Bind.

[Screenshot: Prompt for credentials]

7. Authenticate using an account that is able to join machines to the AD domain.

[Screenshot: Directory Access - User Experience Settings]

8. Next click Show Advanced Options and select the options shown above; if you'd like to mount a home directory you can select the "Use UNC path…" option as well.

[Screenshot: Directory Access - Administrative Settings]

9. Now click the Administrative tab. Select the first option if you'd like the machine to try a local domain controller before asking others. For the second option you can add another AD group or account if you'd like to give them administrative control over the machine. Click OK at the bottom of the window.

[Screenshot: Directory Access - LDAP]

10. We're all set up with AD, so now let's configure OD. From the Directory Access screen enable LDAPv3 and click Configure.

[Screenshot: Directory Access - New LDAP Connection]

11. Click New to add a new OD connection.

[Screenshot: Directory Access - Configuring New LDAP Connection]

12. You will be prompted for the server name. Enter the OD server's DNS name or its IP address and click Continue.

[Screenshot: Directory Access - Binding to Open Directory]

13. Now you have the opportunity to bind the machine to Open Directory. Enter a directory administrator's credentials and click Continue.

[Screenshot: Directory Access - Authentication Order]

14. Next click the Authentication tab at the top and drag the Active Directory entry up so that it is the second option, if it isn't there already. Do the same on the Contacts tab.

15. Log out and log back in using your AD account's credentials. It should appear as if you've just logged in as a new user: a new profile has just been created for you. You are now authenticating against Active Directory, and policies can be applied to your machine from the Open Directory master.

16. At this point, if you'd like to copy items from the old local account over to the AD account, log out and log back in as root.

17. Once logged in as root you can download a copy of my script here and copy it to the root of your hard drive. The script works by copying the contents of a deleted user's DMG file over the contents of an existing user's profile. For it to work properly you must be updated to at least 10.4.11; if you aren't, do so before running it. Please use it at your own risk as well; I've tested it thoroughly, but don't hold me responsible if it hoses your computer :)

[Screenshot: Terminal - Running cp_profile.sh]

18. Open a terminal (Applications->Utilities->Terminal) and type the following commands:

a. cd /

b. chmod 700 cp_profile.sh (the script is run as root, so don't make it world-writable with 777; mode 700 lets only root read and execute it)

c. Run the script using this syntax: ./cp_profile.sh %source_account% %destination_account%

d. So, as an example, if my old local account was named 'mkokes' and my new Active Directory account is 'mkokes' as well, I would execute the command as ./cp_profile.sh mkokes mkokes

e. If you had a large profile the script may take a while to run, be patient :)

19. Once the script is done running, log out and log back in as the AD user. All of the files from the deleted account should now be present. Finally, go back into NetInfo Manager and disable the root user again, since you only needed it for the migration. Congrats! You're done.
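For reference, here is what a script doing the job of cp_profile.sh looks like. It is an added example written for this page from the steps described above, not the author's script (which is only linked, not reproduced, here). It assumes the Accounts pane archived the deleted user to /Users/Deleted Users/<name>.dmg with the home folder's contents at the top level of the image, that the AD user has already logged in once so /Users/<name> exists, and that hdiutil and ditto are present (they are on every OS X 10.4 install). It performs the free-space check mentioned above before touching anything, and because it runs as root it refuses account names that could point it outside /Users.

```shell
#!/bin/sh
# cp_profile example: move the contents of a deleted local account's archive
# into an existing Active Directory user's home folder.
#
# Added example written for this article from the behaviour described above;
# it is not the author's cp_profile.sh. Assumes Accounts archived the deleted
# user to /Users/Deleted Users/<name>.dmg with the home folder's contents at
# the top level of the image, that the AD user has logged in once so
# /Users/<name> exists, and that hdiutil and ditto are present. Run as root.
# DRY_RUN=1 prints the privileged commands instead of running them.

set -eu

DELETED_DIR="/Users/Deleted Users"
USERS_DIR="/Users"
MNT="/tmp/cp_profile.$$"        # private mount point for the archive

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

valid_name() {
    # Account short names only: no slashes, spaces or "..", since both names
    # are spliced into paths that root will write to.
    case "$1" in ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;; *) return 0 ;; esac
}

free_kb() { df -Pk "$1" | awk 'NR == 2 { print $4 }'; }   # free KB on the volume holding $1
size_kb() { du -k "$1" | awk '{ print $1 }'; }             # size of a file in KB

check_space() {
    # The pre-flight check from the text: free space must exceed the archive size.
    [ "$(free_kb "$2")" -gt "$(size_kb "$1")" ]
}

cp_profile() {
    src=$1; dst=$2
    valid_name "$src" && valid_name "$dst" || { echo "bad account name" >&2; return 1; }
    dmg="$DELETED_DIR/$src.dmg"
    home="$USERS_DIR/$dst"
    if [ -z "${DRY_RUN:-}" ]; then
        [ -f "$dmg" ]  || { echo "no archive at $dmg" >&2; return 1; }
        [ -d "$home" ] || { echo "no home at $home; log in as $dst once first" >&2; return 1; }
        check_space "$dmg" "$home" || { echo "not enough free space for $dmg" >&2; return 1; }
    fi
    run mkdir -p "$MNT"
    run hdiutil attach "$dmg" -mountpoint "$MNT" -nobrowse -quiet
    # ditto keeps resource forks and permissions; files already in the new
    # profile are overwritten by the old ones, which is the point of the exercise.
    run ditto "$MNT/" "$home/"
    run hdiutil detach "$MNT" -quiet
    run rmdir "$MNT"
    # Everything arrived owned by the deleted account's old UID; give it to the AD user.
    run chown -R "$dst" "$home"
}

if [ $# -eq 2 ]; then cp_profile "$1" "$2"; fi
```

It takes the same two arguments as the original (`./cp_profile.sh mkokes mkokes`), and DRY_RUN=1 lets you see the mount, copy and chown it would perform before running it for real. Note that the chown is what makes the migrated files usable: they come out of the image owned by the deleted account's old local UID, which no longer corresponds to anything once the AD account, with its own UID, has taken over.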
